
Author Topic: monitor.exe  (Read 1672 times)

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
monitor.exe
« on: June 25, 2004, 21:06 »
more virus shenanigans.  i got the BLOODHOUND.EXPLOIT.10 virus which norton intercepted.  i also ran spybot which removed amongst other things 2 copies of "prolivation" prefix changes in the registry which i haven't seen before. my homepage had also been changed to some sort of product search engine. (which i've changed back to my normal homepage)

now when i boot i get 2 messages about not being able to find monitor.exe.  i checked the entry in STARTUP and found it listed under EXPLORER.  i removed this from the startup programs but still get the message about explorer.exe when i boot up, and i'm also told that the system configuration utility is in diagnostic or selective startup mode, choose normal mode to start windows normally & undo changes made using system configuration utility.

If i do this i'm back to the monitor.exe messages.  grrrrr

any ideas as it's annoying me.  the pc seems fine otherwise

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:monitor.exe
« Reply #1 on: June 25, 2004, 22:17 »
It may be set to run from the registry, Dave.  Suggest you run Hijack This, which you should be able to 'fix' it with.   :)
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Re:monitor.exe
« Reply #2 on: June 26, 2004, 00:19 »
Thanks simon i'll try that.  it's more of an annoyance than a big problem and digging deeper it seems other people appear to have had the same problem.  ;)

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Re:monitor.exe
« Reply #3 on: June 26, 2004, 00:38 »
This is what i got....it seems to think the entries f0 and f2 which refer to monitor.exe have been altered.  question is what do i do if anything ?????    p.s.   i notice that all the "r" entries bar my home page refer to the site i was redirected to.


Logfile of HijackThis v1.97.7
Scan saved at 00:23:58, on 26/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\updtray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Davee\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/default
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.14/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://195.225.176.14/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
F0 - system.ini: Shell=Explorer.exe monitor.exe
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [monitor] Explorer.exe monitor.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://www.otherworldne.org.uk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Offline TR

  • Forum Fanatic
  • ******
  • Posts: 7149
Re:monitor.exe
« Reply #4 on: June 26, 2004, 08:54 »
Dave, Hi & Good morning.

There is one or two in there that looks a bit dodgy



Edit: just had a rethink  ;D

All those R1 & R0 they don't look right? I could be totally wrong but they all say start page  :o

Hookstar


Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:monitor.exe
« Reply #5 on: June 26, 2004, 10:24 »
Whilst I'm no expert at these, I agree with Hook. :o  I think you should fix all of the following:
Quote
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/default
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.14/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://195.225.176.14/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
F0 - system.ini: Shell=Explorer.exe monitor.exe
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe

O4 - HKCU\..\Run: [monitor] Explorer.exe monitor.exe


It's that last one which probably keeps popping up when you start the PC.  :(  Hopefully Dack will be along to have a look soon.  He's good at HJT logs.

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Re:monitor.exe
« Reply #6 on: June 26, 2004, 10:33 »
thanks guys  ;) i'll hang on and see what dack has to say before i start blundering through it all.  like i say the only problem i get to my knowledge is a couple of dialogue boxes complaining windows can't find monitor.exe which i just close....more of an annoyance than anything.

the btopenworld reference is actually my real homepage which i've successfully restored, the rest i think is dodgy.  i believe you can do without monitor.exe but i'll wait for further advice.   :P

Offline Dack

  • Established Member
  • ****
  • Posts: 831
Re:monitor.exe
« Reply #7 on: June 26, 2004, 11:51 »
Quick reply as currently in the middle of a crisis :)

The ones you need to delete are:



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.14/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://195.225.176.14/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
F0 - system.ini: Shell=Explorer.exe monitor.exe
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKCU\..\Run: [monitor] Explorer.exe monitor.exe



Much like Simon said :)

HOWEVER

It may be a new variation of Coolwebsearch and as it's attaching itself to Explorer it is probably worth you booting up in safe mode to try and clear them out.

hey promised the earth! Then delivered mud.
Technically it did meet the spec.
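
Added example, not part of the original thread and not HijackThis's own logic: a small Python triage pass over HijackThis log lines that flags the three patterns the replies above single out (IE R0/R1 URLs pointing at a bare IP address, extra programs on the F0/F2 `Shell=` line, and O4 Run values that launch something through Explorer.exe). The sample lines are copied from the log posted in this thread; the function name `triage` and the heuristics themselves are assumptions made for illustration.

```python
import re

# Sample input: a few lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/default
F0 - system.ini: Shell=Explorer.exe monitor.exe
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [monitor] Explorer.exe monitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "R1 - ...", "O4 - ..."
IP_URL = re.compile(r"=\s*https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)
SHELL = re.compile(r"Shell\s*=\s*(.*)$", re.I)
RUN = re.compile(r"Run: \[[^\]]*\]\s*(.+)$")

def triage(log_text):
    """Return (code, reason, line) tuples for entries matching the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        if code in ("R0", "R1") and IP_URL.search(body):
            # Browser start/search pages normally use host names, not raw IPs.
            findings.append((code, "IE URL points at a bare IP address", line))
        elif code in ("F0", "F2"):
            s = SHELL.search(body)
            # The shell line should name Explorer.exe and nothing else.
            if s and s.group(1).strip().lower() != "explorer.exe":
                findings.append((code, "extra program on Shell= line", line))
        elif code == "O4":
            r = RUN.search(body)
            # A Run value that uses Explorer.exe to start a second program.
            if r and re.match(r"explorer\.exe\s+\S", r.group(1), re.I):
                findings.append((code, "Run value launches a program via Explorer.exe", line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {line}")
```

Entries that look ordinary on their face, such as the UpdReg Run value Dack also listed, are not caught by these patterns and still need a human reviewer.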

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Re:monitor.exe
« Reply #8 on: June 26, 2004, 11:52 »
Thanks mate   ;)

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Re:monitor.exe
« Reply #9 on: June 26, 2004, 12:12 »
Worked a treat many thanks guys and especially Dack for taking time out to sort it.

the 15 files i deleted ended up on the desktop as backup files so i've stuck 'em in a folder, presumably ok to delete them if all works ok.  :D ;)

Offline Dack

  • Established Member
  • ****
  • Posts: 831
Re:monitor.exe
« Reply #10 on: June 26, 2004, 13:08 »
Yep - that's what you get when you save/run things on the desktop :)

Now back to finishing the decorating/construction/cleaning up as I move all my computer equipment to the newly decorated garage :(

Expected to have it all finished by now but spent the last 3 days in and out of hospital due to the other half getting high blood pressure. Totally England match unrelated :)

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Re:monitor.exe
« Reply #11 on: June 26, 2004, 13:21 »
Hope your collective blood pressures are back to normal soon  ;)

